Re: Sending warning of virus via procmail

Hi Rob,
  My apologies. Obviously I misunderstood your recipe. I would not want to
implement a similar notification to my users because we're stopping more
than a thousand viruses each day and I simply would not want the
additional traffic on the network.
  But it sure would let the userbase know that the e-mail administrator is
earning his or her keep!

Take care,
Dave

-- 
David W. MacDougall, E-mail administrator
The Post and Courier
843.937.5655

Rob Lists said:
> Guys, check my recipe a bit more.  It sends the notice to the RECIPIENT of
> the virus email on my network letting them know a virus headed in their
> direction has been thwarted.  It doesn't do flip for the sender since we
> all
> know those addresses are mostly spoofed.  It does drop the original
> headers
> in as the body of the message so someone with a bit of smarts can see if
> they needed to get in touch with their cousin Joe.
>
> On Wed, 01 Oct 2003 23:42:55 -0400 (EDT), David W. MacDougall wrote
> > Rob,
> >   Let me echo what has already been said. As one who spends a lot of
> > time trying to keep annoying e-mail out of my users' inboxes, I
> > decided last year to turn off virus notifications that our NAVIEG
> > server was sending. They seem like a courtesy, but because most of
> > the viruses prevalent today use spoofed "sender" addresses, they are
> > a huge nuisance.  With this last Sobig go 'round, we received far
> > more auto-generated warnings than actual Sobig messages. I am using
> > several recipes to catch auto-generated virus warnings and dispose
> > of them before they get to the users.
> >
> > Take care,
> > Dave
> >
> > --
> > David W. MacDougall, E-mail administrator
> > The Post and Courier
> > 843.937.5655
> >
> > Rob Lists said:
> > > Greetings,
> > >
> > > I've worked up a recipe to send out a warning to the user when clamAV
> > > finds
> > > a virus.  This recipe also puts the actual infected mail in a folder
> > > called
> > > VIRUS.  It all seems to work well, however, if I have verborse logging
> on
> > > I
> > > get an error message during my message composition.  Here is the
> relevant
> > > (I
> > > hope) section of the recipe that deals with creating the notice.  This
> > > section first checks to see if the ClamAV header is there and if it's
> not
> > > clean do the following (infected).  First, create and send an email to
> the
> > > user about their message being infected and the headers included.
> Second,
> > > put a full copy in the users $MAILDIR/VIRUS file.
> > >
> > > :0
> > > * ^X-ClamAV: \/.*
> > > * ! MATCH ?? ^^clean^^
> > > {
> > >
> > >   :0w
> > >   {
> > >     # Grab the entire header for the body of the message
> > >     # Grab the Virus name for the Subject line.
> > >     HEADER = `formail -X "" `
> > >     VIRUS  = `formail -xX-ClamAV`
> > >
> > >     :0
> > >     | ( echo "From: Postmaster(_at_)dympna(_dot_)com"; \
> > >         echo "To: $LOGNAME(_at_)dympna(_dot_)com"; \
> > >         echo "Subject: ** Virus eMail with $VIRUS"; \
> > >         echo "No auto-reply was sent to the originator of this
> > virus";\
> > >         echo "infected email.  You may with to contact the person
> > in";\
> > >         echo "the >From: line below."; \
> > >         echo " ";\
> > >         echo "Following are the headers that were extracted from the
> > > email:";\
> > >         echo " ";\
> > >         echo "$HEADER" ) | $SENDMAIL -oi -t
> > >   }
> > >
> > >   :0:
> > >   $VIRUS_FOLDER
> > >
> > > }
> > >
> > > Functionally, this completes just fine and does exactly what I want.
> > > However, I'm getting this message from the verbose logging:
> > >
> > >
> > > procmail: Executing "formail,-xX-ClamAV"
> > > procmail: Assigning "VIRUS= Worm.Gibe.F FOUND"
> > > procmail: Executing " ( echo "From: postmaster(_at_)dympna(_dot_)com"; \
> > >         echo "To: $LOGNAME(_at_)dympna(_dot_)com"; \
> > >         echo "Subject: Email with $VIRUS"; \
> > >         echo " ";\
> > >         echo "Following are the headers that were extracted:";\
> > >         echo " ";\
> > >         echo "$HEADER" ) | $SENDMAIL -oi -t "
> > > procmail: Error while writing to " ( echo "From:
> > postmaster(_at_)dympna(_dot_)com";
> \
> > >         echo "To: $LOGNAME(_at_)dympna(_dot_)com"; \
> > >         echo "Subject: Email with $VIRUS"; \
> > >         echo " ";\
> > >         echo "Following are the headers that were extracted:";\
> > >         echo " ";\
> > >         echo "$HEADER" ) | $SENDMAIL -oi -t "
> > > procmail: Assigning "LASTFOLDER= ( echo "From: 
> > > postmaster(_at_)dympna(_dot_)com";
> > \
> > >         echo "To: $LOGNAME(_at_)dympna(_dot_)com"; \
> > >         echo "Subject: Email with $VIRUS"; \
> > >         echo " ";\
> > >         echo "Following are the headers that were extracted:";\
> > >         echo " ";\
> > >         echo "$HEADER" ) | $SENDMAIL -oi -t "
> > >
> > > I don't understand what the error is from.  It completes, what am I
> doing
> > > wrong?
> > >
> > > Also, I'd love to hear other ways of doing this...I came up with this
> > > solution on my own after trying out a couple of pipes to external
> scripts.
> > > I'm sure it's not the most elegant or possibly even correct!  I just
> -had-
> > > to have some form of notification.
> > >
> > > (BTW, just noticed I need to change postmaster(_at_)dympna(_dot_)com to
> > > security(_at_)dympna(_dot_)com or something like that)
> > >
> > > -Rob
> > >
> > >
> > > _______________________________________________
> > > procmail mailing list
> > > procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
> > > http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
> > _______________________________________________
> > procmail mailing list
> > procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
> > http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail